A security analyst wants to reference a standard to develop a risk management program. Which of the following is the BEST source for the analyst to use?


A. SSAE SOC 2
B. ISO 31000
C. NIST CSF
D. GDPR